SLM Link

Privacy Policy

Last updated: April 2026

Data Controller: SLM Sistemas, S.A. de C.V. ("SLM", "we", "us")

Address: Retorno 7, Ext. 1, Floor 4, Conjunto Urbano Green House, Naucalpan de Juárez, State of Mexico, C.P. 52779, Mexico.

Privacy contact: privacidad@slm.cloud | +52 (55) 4162 3285

Data Protection Officer (DPO): dpo@slm.cloud

1. Introduction

SLM Link is a Communications Platform as a Service (CPaaS) that allows businesses to manage their messaging channels and social networks — including WhatsApp, Instagram, Facebook, Messenger and Threads — from a single interface and unified API.

SLM Link operates as a Tech Provider under the Meta Platform Terms: our primary purpose is to enable our customers (tenants) to access and use the APIs of Meta Platforms, Inc. to manage their messaging and presence on social networks.

This Privacy Policy describes how we collect, use, store, share and protect personal data, including data obtained through the Meta Platform ("Platform Data"), in compliance with:

  • The Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) of Mexico.
  • The Meta Platform Terms and Developer Policies.
  • The General Data Protection Regulation (GDPR) of the European Union, where applicable.
  • The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), where applicable.
  • Any other legislation applicable depending on the user's jurisdiction.

2. Data we collect

2.1 Data provided directly

  • Registration data: name, email address, password (stored with Argon2id hashing), organization name.
  • Billing data: Tax ID (RFC), legal name, tax address (where applicable).
  • End-customer contact data: name, phone number, messages sent and received through the connected channels.

2.2 Platform Data — Data obtained through the Meta Platform

When our customers connect their business accounts through the OAuth flow managed by SLM Link, we obtain and process the following data from the Meta Platform ("Platform Data"):

| Channel | Data obtained | Specific purpose |
|---|---|---|
| WhatsApp Business | Phone numbers, WABA ID, Phone Number ID, messages (text, image, audio, video, document, location), templates, delivery statuses | Allow the tenant to send, receive and manage WhatsApp Business messages through our API |
| Instagram | Username, business account ID, posts, comments, direct messages, performance metrics | Allow the tenant to manage Instagram messaging and publish content on their business account |
| Facebook Pages | Page name, Page ID, posts, comments, Messenger messages, engagement metrics | Allow the tenant to manage their page, respond to Messenger messages and publish content |
| Threads | Username, account ID, posts | Allow the tenant to publish content on Threads |

Important: SLM Link processes Platform Data exclusively on behalf of and under the direction of each tenant, for the purposes described in this table. We do not use Platform Data for our own marketing or profiling purposes, nor do we share it between tenants. Each tenant has its data fully isolated.

2.3 Meta access tokens

When channels are connected, we obtain OAuth access tokens from Meta. These tokens are automatically exchanged for long-lived tokens and renewed in the background before expiration. Tokens are stored encrypted and isolated per tenant. They are never exposed to the end user or shared with third parties.

2.4 Data collected automatically

  • IP address, user agent (browser), access timestamp.
  • Activity logs for auditing and diagnostics.
  • Strictly necessary cookies for the operation of the platform.

3. Purposes of processing

Primary purposes (necessary)

  • Provide the multichannel messaging and social network management service.
  • Authenticate and authorize access to the platform.
  • Process, send and receive messages through Meta APIs on behalf of the tenant.
  • Publish content on social networks on behalf of the tenant.
  • Connect WhatsApp, Instagram, Facebook and Threads accounts via OAuth.
  • Generate reports, analytics and usage statistics for the tenant.
  • Deliver real-time events to the webhook configured by the tenant.
  • Comply with legal and regulatory obligations.
  • Cooperate with audits and reviews required by Meta Platforms, Inc.

Secondary purposes (optional)

  • Send communications about service updates.
  • Improve the user experience through aggregated and anonymized analysis of usage patterns.
  • Provide technical support.

If you do not want your data to be used for secondary purposes, you can let us know at privacidad@slm.cloud.

4. Legal basis for processing

Under the LFPDPPP (Mexico)

  • Informed, free and specific consent granted upon registration and acceptance of these terms.
  • Contractual performance necessary to provide the contracted service.
  • Legal obligation when Mexican laws so require.

Under the GDPR (where applicable)

  • Article 6(1)(b): Performance of a contract to which the data subject is party.
  • Article 6(1)(a): Consent of the data subject for secondary purposes.
  • Article 6(1)(c): Compliance with a legal obligation.
  • Article 6(1)(f): Legitimate interests of SLM to improve the service and ensure security, provided the rights of the data subject do not override them.

Under the CCPA/CPRA (where applicable)

SLM Link acts as a "Service Provider" under the CCPA with respect to personal data of California residents processed on behalf of our tenants. We do not sell or share (as defined under the CCPA) personal information of consumers.

5. Data transfer and sharing

Your data may be shared with the following recipients, under the conditions described:

| Recipient | Purpose | Safeguards |
|---|---|---|
| Meta Platforms, Inc. | Necessary for the operation of the WhatsApp Business API, Instagram API, Facebook API and Threads API. | Subject to the Meta Platform Terms. |
| Tenants (customers) | Delivery of Platform Data collected on their behalf as a Tech Provider. | Each tenant is contractually obligated not to process Platform Data in a way that violates the Meta Platform Terms (see Terms of Service, section 6). |
| Service Providers (infrastructure providers) | Hosting, database, and services necessary to operate the platform. | Each Service Provider agrees in writing to: (a) use the data only to provide services to us and under our direction; (b) not use the data for their own purposes; (c) delete the data when we stop using their services. |
| Competent authorities | When required by law, regulation or judicial order. | Evidence of the applicable legal request is retained. |

We do not sell personal data or Platform Data to third parties.

We do not share Platform Data with third parties except in the circumstances described in this table, in compliance with Section 3.c of the Meta Platform Terms.

6. International data transfers

SLM Link operates infrastructure that may involve transferring data outside Mexico. When personal data is transferred to jurisdictions without an adequate level of protection:

  • For EU/EEA data: We use the Standard Contractual Clauses approved by the European Commission (Decision 2021/914), Controller-to-Controller module.
  • For UK data: We use the International Data Transfer Addendum approved by the ICO.
  • For data from Mexico: We comply with LFPDPPP requirements for international transfers, including data subject consent where required.

7. Data subject rights

ARCO Rights (LFPDPPP — Mexico)

You have the right to:

  • Access: know what personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Cancellation: request deletion of your data when no longer needed.
  • Objection: object to the processing of your data for specific purposes.

Rights under the GDPR (where applicable)

If you are a resident of the EEA or the UK, you also have the right to data portability, to restriction of processing, and to lodge a complaint with a supervisory authority.

Rights under the CCPA/CPRA (where applicable)

If you are a California resident, you have the right to: know what personal information is collected, request deletion, and not be discriminated against for exercising your rights.

How to exercise your rights

To exercise any of these rights, send an email to privacidad@slm.cloud with your full name, a description of the right you wish to exercise, and documents that prove your identity. We will respond within a maximum of 20 business days (Mexico) or 30 calendar days (GDPR).

8. Data deletion

You can request the complete deletion of your data through any of these mechanisms:

  • By sending an email to privacidad@slm.cloud.
  • Through the deletion link provided by Meta (Data Deletion Callback).
  • From your account settings within the platform.

Data will be deleted within 30 days from the request.

Additionally, we delete Platform Data in the following circumstances, in accordance with Section 3.d of the Meta Platform Terms:

  • When retaining the data is no longer necessary for a legitimate business purpose.
  • When the tenant ceases to operate or cancels their account.
  • When Meta Platforms, Inc. requests it for user protection.
  • When the end user requests deletion of their data or no longer has an account with the tenant.
  • When required by applicable law or regulation.

9. Data retention

| Type of data | Retention period |
|---|---|
| Tenant account data | While the account is active + 30 days after cancellation |
| Messages and Platform Data | Up to 12 months, or less if the tenant or user requests deletion |
| Meta OAuth tokens | While the channel is connected. Deleted upon disconnection. |
| Audit logs | 24 months |
| Data deleted upon request | Purged within 90 days of the request |

If a legal obligation requires retaining data for a longer period, we will retain only the data that is necessary and for the period required, keeping evidence of such requirement.

10. Data security

We maintain administrative, physical and technical safeguards designed to meet or exceed industry standards, in accordance with Section 6 of the Meta Platform Terms:

  • Encryption in transit: HTTPS/TLS on all communications.
  • Password hashing: Argon2id with random salt.
  • Digital signatures: HMAC-SHA256 for webhooks and OAuth tokens.
  • Data isolation: each tenant has its data completely separated (tenant isolation). Platform Data from one tenant is never mixed with another's.
  • Auditing: detailed logging of every action and access.
  • Access control: authentication via API key/secret validated in real time on every request.
  • Vulnerability reporting: you can report security vulnerabilities to seguridad@slm.cloud.

11. Security incidents

In the event of a security incident involving unauthorized access, loss, alteration or disclosure of Platform Data or personal data:

  • We will notify Meta Platforms, Inc. as soon as possible, in accordance with the Meta Platform Terms.
  • We will notify affected tenants without undue delay.
  • We will notify the competent authorities when required by applicable legislation.
  • We will initiate immediate remediation and cooperate with Meta and the authorities as appropriate.

12. Cookies

We use only strictly necessary cookies for the operation of the platform (session authentication). We do not use tracking, advertising, or third-party analytics cookies.

13. Minors

SLM Link is not directed at individuals under 18 years of age. We do not knowingly collect data from minors. If we become aware that we have collected data from a minor, we will delete it immediately.

14. Prohibited practices

In compliance with Section 3.a of the Meta Platform Terms, SLM Link does not engage in, nor does it allow its tenants to engage in, the following practices with Platform Data:

  • Discrimination based on personal attributes (race, ethnicity, religion, sexual orientation, etc.).
  • Eligibility determinations (housing, employment, credit, insurance, government benefits).
  • Surveillance of individuals, groups or events.
  • Sale, licensing or purchase of Platform Data.
  • Creation or enrichment of user profiles without valid consent.
  • Attempts to decode, re-identify or de-anonymize Platform Data.

15. Changes to this policy

Changes will be published on this page with a revised "Last updated" date. If the changes are significant, we will notify registered tenants by email. Continued use of the platform after publication of changes constitutes acceptance of the updated policy.

16. Regulatory authority

  • Mexico: The competent authority for personal data protection is the one determined by the legislation in force on the matter.
  • European Union: EEA users may file complaints with the supervisory authority of their country of residence. The competent supervisory authority under the Meta Platform Terms is the Data Protection Commission of Ireland.
  • United Kingdom: UK users may file complaints with the Information Commissioner's Office (ICO).

17. Contact

SLM Sistemas, S.A. de C.V.

Retorno 7, Ext. 1, Floor 4, Conjunto Urbano Green House

Naucalpan de Juárez, State of Mexico, C.P. 52779, Mexico

Privacy and ARCO rights: privacidad@slm.cloud

Data Protection Officer: dpo@slm.cloud

Security: seguridad@slm.cloud

General: info@slm.cloud | +52 (55) 4162 3285